WHAT IS CLAIMED IS:

1. A network multiplexing and tunneling system, comprising at least two
devices connected across a network by a secure connection created at a user-level,
wherein the secure connection is a single encrypted Secure Sockets Layer (SSL)
Transmission Control Protocol (TCP) connection, each of the devices authenticates
the other device after the secure connection is opened, and at least one of the devices
multiplexes other connections through the secure connection after both the devices
have been authenticated.

2. The system of claim 1, wherein the other connections are selected from 
a group comprising Transmission Control Protocol (TCP) and UDP (User Datagram 
Protocol) connections. 

3. The system of claim 1, wherein the secure connection is symmetric. 



4. The system of claim 1, wherein either endpoint of the secure
connection can receive connection requests.



5. The system of claim 1, wherein either endpoint of the secure
connection can receive data.
6. The system of claim 1, further comprising means for maintaining send
buffers on each endpoint.

7. The system of claim 1, further comprising means for forwarding data
through the secure connection when there are sufficient send buffers for receiving the
forwarded data on the other endpoint.



8. The system of claim 1, further comprising means for queuing data
received at each endpoint.

9. The system of claim 8, further comprising means for dispatching the
queued data at each endpoint to its final destination.



10. The system of claim 9, further comprising means for acknowledging
receipt of the data after the queued data is dispatched to its final destination, thereby
tracking usage of buffers at the endpoint.



11. The system of claim 1, further comprising means for buffering data
transmitted through the multiplexed other connections for flow control through the
secure connection.
12. The system of claim 1, further comprising means for resolving domain
names through the secure connection.

13. The system of claim 1, further comprising means for operating the
secure connection according to a mode selected from a group comprising a standalone
proxy mode, a packet filter mode, and a SOCKetS server (SOCKS) mode.



14. The system of claim 1, wherein the endpoints comprise a Portal and a
Gate.



15. The system of claim 14, wherein the Gate comprises a server executed
by a firewall bastion host computer.



16. The system of claim 14, wherein the Portal comprises a client executed 
by a user's computer. 

17. The system of claim 1, further comprising means for accessing an
Intranet from the Internet using the secure connection.
18. The system of claim 17, further comprising means for creating a
connection from a Portal on a client computer on the Internet to a Gate on a firewall
bastion host computer on the Intranet through the secure connection.



19. The system of claim 17, further comprising means for creating a
connection from a Portal on a client computer on the Internet to a proxy on a
firewall bastion host computer on the Intranet through the secure connection and
from the proxy to a Gate on a host computer on the Intranet through the secure
connection.



20. The system of claim 17, further comprising means for creating a
connection from a Portal on a client computer on the Internet to a packet filter on a
firewall bastion host computer on the Intranet through the secure connection and
from the packet filter to a Gate on a host computer on the Intranet through the secure
connection.



21. The system of claim 1, further comprising means for accessing the
Internet from an Intranet using the secure connection.
22. The system of claim 21, further comprising means for creating a
connection from a Portal on a client computer on the Intranet to a Gate on a host
computer on the Internet through the secure connection.

23. The system of claim 21, further comprising means for creating a 
connection from a Portal on a firewall bastion host computer on the Intranet to a 
host computer on the Internet through the secure connection. 

24. The system of claim 21, further comprising means for creating a
connection from a Portal on a client computer on the Intranet to a proxy on a
firewall bastion host computer on the Intranet through the secure connection and
from the proxy to a Gate on a host computer on the Internet through the secure
connection.

25. The system of claim 21, further comprising means for creating a
connection from a Portal on a client computer on the Intranet to a packet filter on a
firewall bastion host computer on the Intranet through the secure connection and
from the packet filter to a Gate on a host computer on the Internet through the secure
connection.
26. The system of claim 1, further comprising means for accessing a first
Intranet from a second Intranet across the Internet using the secure connection.



27. The system of claim 26, further comprising means for creating a
connection from a Portal on a client computer on the first Intranet to a Gate on a
firewall bastion host computer on the first Intranet through the secure connection,
and from the Gate on the firewall bastion host computer on the first Intranet through
the Internet to a Gate on a firewall bastion host computer on the second Intranet
through the secure connection, and from the Gate on the firewall bastion host
computer on the second Intranet to a host computer on the second Intranet through
the secure connection.



28. The system of claim 1, wherein records are exchanged between the
endpoints of the secure connection.

29. The system of claim 28, wherein the records are selected from a group
comprising: UsherOpen, UsherOpenReply, UsherSend, UsherClose, UsherSendUdp,
UsherAck, UsherEnd, and UsherRST records.

30. The system of claim 29, wherein the UsherOpen records are sent by a
Portal to a Gate to open a Transmission Control Protocol (TCP) connection.
31. The system of claim 29, wherein the UsherOpenReply records are sent
by a Gate to a Portal to respond to an UsherOpen record.

32. The system of claim 29, wherein the UsherSend records are sent by
either a Gate or a Portal to transmit data therebetween.



33. The system of claim 29, wherein the UsherAck records are sent by
either a Gate or a Portal to acknowledge a receipt of data therebetween.

34. The system of claim 29, wherein the UsherAck records are not sent
when data received by either a Gate or a Portal is queued prior to being forwarded to
its destination.



35. The system of claim 29, wherein the UsherAck records are sent only
when data received by either a Gate or a Portal has been forwarded to its destination.

36. The system of claim 29, wherein the UsherClose records are sent by
either a Gate or a Portal to terminate a session.
37. The system of claim 29, wherein the UsherSendUdp records are sent
by either a Gate or a Portal to transmit UDP (User Datagram Protocol) packets
therebetween.

38. The system of claim 29, wherein the UsherEnd records are sent by
either a Gate or a Portal to terminate a multiplexed other connection.



39. The system of claim 29, wherein the UsherRST records are sent by
either a Gate or a Portal to reset a multiplexed other connection.
40. A transmission media communicating data via a secure connection
created at a user-level between two endpoints in a network, wherein the secure
connection is a single encrypted Secure Sockets Layer (SSL) Transmission Control
Protocol (TCP) connection, each of the endpoints authenticates the other device after
the secure connection is opened, and at least one of the endpoints multiplexes other
connections through the secure connection after both the endpoints have been
authenticated.
41. The transmission media of claim 40, wherein the other connections are
selected from a group comprising Transmission Control Protocol (TCP) and UDP
(User Datagram Protocol) connections.



42. The transmission media of claim 40, wherein the secure connection is
symmetric.



43. The transmission media of claim 40, wherein either endpoint of the
secure connection can receive connection requests.



44. The transmission media of claim 40, wherein either endpoint of the
secure connection can receive data.



45. The transmission media of claim 40, further comprising maintaining
send buffers on each endpoint.



46. The transmission media of claim 40, further comprising forwarding
data through the secure connection when there are sufficient send buffers for
receiving the forwarded data on the other endpoint.
47. The transmission media of claim 40, further comprising queuing data
received at each endpoint.



48. The transmission media of claim 47, further comprising dispatching
the queued data at each endpoint to its final destination.



49. The transmission media of claim 48, further comprising
acknowledging receipt of the data after the queued data is dispatched to its final
destination, thereby tracking usage of buffers at the endpoint.

50. The transmission media of claim 40, further comprising buffering data
transmitted through the multiplexed other connections for flow control through the
secure connection.



51. The transmission media of claim 40, further comprising resolving
domain names through the secure connection.

52. The transmission media of claim 40, further comprising operating the
secure connection according to a mode selected from a group comprising a standalone
proxy mode, a packet filter mode, and a SOCKetS server (SOCKS) mode.
53. The transmission media of claim 40, wherein the endpoints comprise a
Portal and a Gate.



54. The transmission media of claim 53, wherein the Gate comprises a
server executed by a firewall bastion host computer.

55. The transmission media of claim 53, wherein the Portal comprises a
client executed by a user's computer.



56. The transmission media of claim 40, further comprising accessing an
Intranet from the Internet using the secure connection.

57. The transmission media of claim 56, further comprising creating a
connection from a Portal on a client computer on the Internet to a Gate on a firewall
bastion host computer on the Intranet through the secure connection.
58. The transmission media of claim 56, further comprising creating a
connection from a Portal on a client computer on the Internet to a proxy on a
firewall bastion host computer on the Intranet through the secure connection and
from the proxy to a Gate on a host computer on the Intranet through the secure
connection.

59. The transmission media of claim 56, further comprising creating a
connection from a Portal on a client computer on the Internet to a packet filter on a
firewall bastion host computer on the Intranet through the secure connection and
from the packet filter to a Gate on a host computer on the Intranet through the secure
connection.

60. The transmission media of claim 40, further comprising accessing the
Internet from an Intranet using the secure connection.



61. The transmission media of claim 60, further comprising creating a
connection from a Portal on a client computer on the Intranet to a Gate on a host
computer on the Internet through the secure connection.



62. The transmission media of claim 60, further comprising creating a
connection from a Portal on a firewall bastion host computer on the Intranet to a
host computer on the Internet through the secure connection.
63. The transmission media of claim 60, further comprising creating a
connection from a Portal on a client computer on the Intranet to a proxy on a
firewall bastion host computer on the Intranet through the secure connection and
from the proxy to a Gate on a host computer on the Internet through the secure
connection.

64. The transmission media of claim 60, further comprising creating a
connection from a Portal on a client computer on the Intranet to a packet filter on a
firewall bastion host computer on the Intranet through the secure connection and
from the packet filter to a Gate on a host computer on the Internet through the secure
connection.



65. The transmission media of claim 40, further comprising accessing a
first Intranet from a second Intranet across the Internet using the secure connection.

66. The transmission media of claim 65, further comprising creating a
connection from a Portal on a client computer on the first Intranet to a Gate on a
firewall bastion host computer on the first Intranet through the secure connection,
and from the Gate on the firewall bastion host computer on the first Intranet through
the Internet to a Gate on a firewall bastion host computer on the second Intranet
through the secure connection, and from the Gate on the firewall bastion host
computer on the second Intranet to a host computer on the second Intranet through
the secure connection.



67. The transmission media of claim 40, wherein records are exchanged
between the endpoints of the secure connection.



68. The transmission media of claim 67, wherein the records are selected
from a group comprising: UsherOpen, UsherOpenReply, UsherSend, UsherClose,
UsherSendUdp, UsherAck, UsherEnd, and UsherRST records.

69. The transmission media of claim 68, wherein the UsherOpen records
are sent by a Portal to a Gate to open a Transmission Control Protocol (TCP)
connection.



70. The transmission media of claim 68, wherein the UsherOpenReply
records are sent by a Gate to a Portal to respond to an UsherOpen record.

71. The transmission media of claim 68, wherein the UsherSend records
are sent by either a Gate or a Portal to transmit data therebetween.
72. The transmission media of claim 68, wherein the UsherAck records are
sent by either a Gate or a Portal to acknowledge a receipt of data therebetween.



73. The transmission media of claim 68, wherein the UsherAck records are
not sent when data received by either a Gate or a Portal is queued prior to being
forwarded to its destination.



74. The transmission media of claim 68, wherein the UsherAck records are
sent only when data received by either a Gate or a Portal has been forwarded to its
destination.



75. The transmission media of claim 68, wherein the UsherClose records
are sent by either a Gate or a Portal to terminate a session.



76. The transmission media of claim 68, wherein the UsherSendUdp
records are sent by either a Gate or a Portal to transmit UDP (User Datagram
Protocol) packets therebetween.

77. The transmission media of claim 68, wherein the UsherEnd records are 
sent by either a Gate or a Portal to terminate a multiplexed other connection. 
78. The transmission media of claim 68, wherein the UsherRST records
are sent by either a Gate or a Portal to reset a multiplexed other connection.
79. A method for network multiplexing and tunneling, comprising:
(a) opening a single Transmission Control Protocol (TCP) connection at a
user-level between at least two endpoints in the network;

(b) establishing a Secure Sockets Layer (SSL) over the opened Transmission
Control Protocol (TCP) connection;

(c) mutually authenticating each of the endpoints of the SSL TCP connection;
and

(d) multiplexing other connections through the secure connection once both
of the endpoints have been authenticated.



80. The method of claim 79, wherein the other connections are selected
from a group comprising Transmission Control Protocol (TCP) and UDP (User
Datagram Protocol) connections.

81. The method of claim 79, wherein the secure connection is symmetric.

82. The method of claim 79, wherein either endpoint of the secure
connection can receive connection requests.
83. The method of claim 79, wherein either endpoint of the secure
connection can receive data.



84. The method of claim 79, further comprising maintaining send buffers
on each endpoint.

85. The method of claim 79, further comprising forwarding data through
the secure connection when there are sufficient send buffers for receiving the
forwarded data on the other endpoint.



86. The method of claim 79, further comprising queuing data received at
each endpoint.

87. The method of claim 86, further comprising dispatching the queued
data at each endpoint to its final destination.



88. The method of claim 87, further comprising acknowledging receipt of
the data after the queued data is dispatched to its final destination, thereby tracking
usage of buffers at the endpoint.
89. The method of claim 79, further comprising buffering data transmitted
through the multiplexed other connections for flow control through the secure
connection.



90. The method of claim 79, further comprising resolving domain names
through the secure connection.

91. The method of claim 79, further comprising operating the secure
connection according to a mode selected from a group comprising a standalone proxy
mode, a packet filter mode, and a SOCKetS server (SOCKS) mode.



92. The method of claim 79, wherein the endpoints comprise a Portal and
a Gate.



93. The method of claim 92, wherein the Gate comprises a server executed 
by a firewall bastion host computer. 



94. The method of claim 92, wherein the Portal comprises a client 
executed by a user's computer. 
95. The method of claim 79, further comprising accessing an Intranet from
the Internet using the secure connection.



96. The method of claim 95, further comprising creating a connection
from a Portal on a client computer on the Internet to a Gate on a firewall bastion
host computer on the Intranet through the secure connection.



97. The method of claim 95, further comprising creating a connection
from a Portal on a client computer on the Internet to a proxy on a firewall bastion
host computer on the Intranet through the secure connection and from the proxy to
a Gate on a host computer on the Intranet through the secure connection.



98. The method of claim 95, further comprising creating a connection
from a Portal on a client computer on the Internet to a packet filter on a firewall
bastion host computer on the Intranet through the secure connection and from the
packet filter to a Gate on a host computer on the Intranet through the secure
connection.

99. The method of claim 79, further comprising accessing the Internet
from an Intranet using the secure connection.
100. The method of claim 99, further comprising creating a connection
from a Portal on a client computer on the Intranet to a Gate on a host computer on
the Internet through the secure connection.



101. The method of claim 99, further comprising creating a connection
from a Portal on a firewall bastion host computer on the Intranet to a host computer
on the Internet through the secure connection.



102. The method of claim 99, further comprising creating a connection
from a Portal on a client computer on the Intranet to a proxy on a firewall bastion
host computer on the Intranet through the secure connection and from the proxy to
a Gate on a host computer on the Internet through the secure connection.



103. The method of claim 99, further comprising creating a connection
from a Portal on a client computer on the Intranet to a packet filter on a firewall
bastion host computer on the Intranet through the secure connection and from the
packet filter to a Gate on a host computer on the Internet through the secure
connection.



104. The method of claim 79, further comprising accessing a first Intranet
from a second Intranet across the Internet using the secure connection.
105. The method of claim 104, further comprising creating a connection
from a Portal on a client computer on the first Intranet to a Gate on a firewall
bastion host computer on the first Intranet through the secure connection, and from
the Gate on the firewall bastion host computer on the first Intranet through the
Internet to a Gate on a firewall bastion host computer on the second Intranet through
the secure connection, and from the Gate on the firewall bastion host computer on
the second Intranet to a host computer on the second Intranet through the secure
connection.

106. The method of claim 79, wherein records are exchanged between the
endpoints of the secure connection.

107. The method of claim 106, wherein the records are selected from a
group comprising: UsherOpen, UsherOpenReply, UsherSend, UsherClose,
UsherSendUdp, UsherAck, UsherEnd, and UsherRST records.

108. The method of claim 107, wherein the UsherOpen records are sent by
a Portal to a Gate to open a Transmission Control Protocol (TCP) connection.

109. The method of claim 107, wherein the UsherOpenReply records are
sent by a Gate to a Portal to respond to an UsherOpen record.
110. The method of claim 107, wherein the UsherSend records are sent by
either a Gate or a Portal to transmit data therebetween.



111. The method of claim 107, wherein the UsherAck records are sent by
either a Gate or a Portal to acknowledge a receipt of data therebetween.



112. The method of claim 107, wherein the UsherAck records are not sent
when data received by either a Gate or a Portal is queued prior to being forwarded to
its destination.



113. The method of claim 107, wherein the UsherAck records are sent only
when data received by either a Gate or a Portal has been forwarded to its destination.



114. The method of claim 107, wherein the UsherClose records are sent by
either a Gate or a Portal to terminate a session.



115. The method of claim 107, wherein the UsherSendUdp records are sent
by either a Gate or a Portal to transmit UDP (User Datagram Protocol) packets
therebetween.
116. The method of claim 107, wherein the UsherEnd records are sent by
either a Gate or a Portal to terminate a multiplexed other connection.

117. The method of claim 107, wherein the UsherRST records are sent by
either a Gate or a Portal to reset a multiplexed other connection.
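The record exchange and the buffer-credit flow control that claims 6 through 11, 28 through 39, 45 through 50, 67 through 78, 84 through 89 and 106 through 117 describe, simulated as an added example that is not part of the patent and does not reproduce any product code. The record names are the claims' own; the numeric record codes, the 7-byte wire header (type, channel id, payload length) and the per-endpoint "buffers as credits" accounting are assumptions made here so the logic can run offline. The two endpoints exchange bytes in memory in place of the SSL tunnel, since the claims say nothing about the layout of a record inside it.

```python
import struct
from collections import deque
from enum import IntEnum


class RecordType(IntEnum):
    """The eight record kinds named in the claims (numeric codes are assumed)."""
    OPEN = 1        # UsherOpen: Portal asks Gate to open a TCP connection
    OPEN_REPLY = 2  # UsherOpenReply: Gate answers an UsherOpen
    SEND = 3        # UsherSend: data for one multiplexed connection
    CLOSE = 4       # UsherClose: end the session
    SEND_UDP = 5    # UsherSendUdp: a UDP datagram
    ACK = 6         # UsherAck: sent only after data reached its destination
    END = 7         # UsherEnd: close one multiplexed connection
    RST = 8         # UsherRST: reset one multiplexed connection


# Assumed wire layout: 1-byte type, 4-byte channel id, 2-byte payload length.
HEADER = struct.Struct("!BIH")


def encode_record(rtype, channel, payload=b""):
    return HEADER.pack(int(rtype), channel, len(payload)) + payload


def decode_records(buf):
    """Split a byte string into complete records; return (records, unparsed tail)."""
    records = []
    while len(buf) >= HEADER.size:
        rtype, channel, length = HEADER.unpack_from(buf)
        end = HEADER.size + length
        if len(buf) < end:
            break  # partial record: keep the tail until more bytes arrive
        records.append((RecordType(rtype), channel, buf[HEADER.size:end]))
        buf = buf[end:]
    return records, buf


class Endpoint:
    """One side of the tunnel (Portal or Gate); both sides run the same code."""

    def __init__(self, name, buffers):
        self.name = name
        self.peer_credits = buffers   # send buffers we believe are free on the peer
        self.free_buffers = buffers   # our own receive buffers
        self.inbox = deque()          # (channel, payload) queued before dispatch
        self.delivered = {}           # channel -> bytes handed to the destination
        self.deferred = deque()       # sends held back by flow control
        self.wire = b""               # bytes waiting to go out over the tunnel
        self.channels = set()
        self.open_replies = []

    def open_channel(self, channel):
        self.channels.add(channel)
        self.wire += encode_record(RecordType.OPEN, channel)

    def send(self, channel, data):
        """Forward only while the peer has a free send buffer; otherwise defer."""
        if self.peer_credits > 0:
            self.peer_credits -= 1
            self.wire += encode_record(RecordType.SEND, channel, data)
        else:
            self.deferred.append((channel, data))

    def end_channel(self, channel):
        self.channels.discard(channel)
        self.wire += encode_record(RecordType.END, channel)

    def receive(self, data):
        records, rest = decode_records(data)
        assert not rest, "tunnel delivered a partial record"
        for rtype, channel, payload in records:
            if rtype == RecordType.OPEN:
                self.channels.add(channel)
                self.wire += encode_record(RecordType.OPEN_REPLY, channel)
            elif rtype == RecordType.OPEN_REPLY:
                self.open_replies.append(channel)
            elif rtype == RecordType.SEND:
                if self.free_buffers == 0:
                    raise RuntimeError("peer ignored flow control")
                self.free_buffers -= 1
                self.inbox.append((channel, payload))   # queued: no ack yet
            elif rtype == RecordType.ACK:
                self.peer_credits += 1                  # a peer buffer came free
                if self.deferred:
                    self.send(*self.deferred.popleft())
            elif rtype == RecordType.END:
                self.channels.discard(channel)

    def dispatch_one(self):
        """Hand one queued record to its destination, and only then ack it."""
        channel, payload = self.inbox.popleft()
        self.delivered[channel] = self.delivered.get(channel, b"") + payload
        self.free_buffers += 1
        self.wire += encode_record(RecordType.ACK, channel)

    def flush(self):
        out, self.wire = self.wire, b""
        return out


def run_demo():
    """Constructed exchange: a Portal with two credits pushes three chunks; the
    third waits for an UsherAck that the Gate emits only after dispatching."""
    portal, gate = Endpoint("Portal", buffers=2), Endpoint("Gate", buffers=2)
    portal.open_channel(7)
    gate.receive(portal.flush())
    portal.receive(gate.flush())                 # UsherOpenReply comes back
    for chunk in (b"GET / ", b"HTTP/1.0\r\n", b"\r\n"):
        portal.send(7, chunk)
    deferred_before = len(portal.deferred)       # third chunk has no credit
    gate.receive(portal.flush())
    acked_early = any(r[0] == RecordType.ACK for r in decode_records(gate.wire)[0])
    gate.dispatch_one()                          # first chunk reaches its destination
    portal.receive(gate.flush())                 # that ack releases the deferred chunk
    gate.receive(portal.flush())
    while gate.inbox:
        gate.dispatch_one()
    portal.receive(gate.flush())
    portal.end_channel(7)
    gate.receive(portal.flush())
    return {
        "open_replies": portal.open_replies,
        "deferred_before_ack": deferred_before,
        "acked_before_dispatch": acked_early,
        "delivered": gate.delivered[7],
        "portal_credits": portal.peer_credits,
        "gate_channels": sorted(gate.channels),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point the simulation makes is the one claims 10, 34 and 35 turn on: an endpoint that queues data and acks it immediately would let the peer overrun its buffers, so the ack is coupled to dispatch, and the sender treats each ack as a returned buffer credit. The `receive` check that raises on a SEND with no free buffer is the defender's view of the same rule, since a peer that sends past its credit is either buggy or hostile.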



AM998125